DownUnderCTF - ogres are like onions
DFIR - easy
if you see this you have to post in #memes thems the rules
docker run -tp 8000:8000 downunderctf/onions
hint
Author: emily
Write-up
For this challenge I first took a look at the hint, which was nothing really helpful; at first I did not understand the link between onions and Docker layers.
So I just ran the Docker image to start the challenge, and it gave me a site with memes about Shrek, so nothing interesting at first sight, but I noticed that the last meme is not printed.
So I checked the source code of the page and saw that the last image name is flag.jpg.
Having already done some Docker forensics challenges, I knew it was probably a flag that was deleted in a layer of the Docker image.
So I used dive (a great Docker forensics tool) to check if my theory was correct. And what do I see? A deleted flag.
Then I just had to save the Docker image to get the inside content of the layers and then read the flag from the jpg.
$ docker save downunderctf/onions -o onions.tar
$ tar -xvf onions.tar
3e571912155d9bac1a5285bf1c21105bea53585f77a159316eed491882710ab2/
3e571912155d9bac1a5285bf1c21105bea53585f77a159316eed491882710ab2/VERSION
3e571912155d9bac1a5285bf1c21105bea53585f77a159316eed491882710ab2/json
3e571912155d9bac1a5285bf1c21105bea53585f77a159316eed491882710ab2/layer.tar
506946d44c8939efe882d5fd59797d22f2fe84adb7e2b7af066ca1563c11d464/
506946d44c8939efe882d5fd59797d22f2fe84adb7e2b7af066ca1563c11d464/VERSION
506946d44c8939efe882d5fd59797d22f2fe84adb7e2b7af066ca1563c11d464/json
506946d44c8939efe882d5fd59797d22f2fe84adb7e2b7af066ca1563c11d464/layer.tar
a6bad0ec2bc89c6e853793402438b32a1712d62883f7559f7ca9f3dc9b21e56f/
a6bad0ec2bc89c6e853793402438b32a1712d62883f7559f7ca9f3dc9b21e56f/VERSION
a6bad0ec2bc89c6e853793402438b32a1712d62883f7559f7ca9f3dc9b21e56f/json
a6bad0ec2bc89c6e853793402438b32a1712d62883f7559f7ca9f3dc9b21e56f/layer.tar
b304ef4d10bbddefcb6b84240cf39856f8ffce7ea668cc16224b55ab632ec991/
b304ef4d10bbddefcb6b84240cf39856f8ffce7ea668cc16224b55ab632ec991/VERSION
b304ef4d10bbddefcb6b84240cf39856f8ffce7ea668cc16224b55ab632ec991/json
b304ef4d10bbddefcb6b84240cf39856f8ffce7ea668cc16224b55ab632ec991/layer.tar
bd4a058271e0f6d7b1872431920b368e288c921f914ff7eeb18ef31fea55a609/
bd4a058271e0f6d7b1872431920b368e288c921f914ff7eeb18ef31fea55a609/VERSION
bd4a058271e0f6d7b1872431920b368e288c921f914ff7eeb18ef31fea55a609/json
bd4a058271e0f6d7b1872431920b368e288c921f914ff7eeb18ef31fea55a609/layer.tar
c567f7c571cc9d293e1db522d4b92cf099af0d1b33a602f08c774d936dda5d14/
c567f7c571cc9d293e1db522d4b92cf099af0d1b33a602f08c774d936dda5d14/VERSION
c567f7c571cc9d293e1db522d4b92cf099af0d1b33a602f08c774d936dda5d14/json
c567f7c571cc9d293e1db522d4b92cf099af0d1b33a602f08c774d936dda5d14/layer.tar
e4ad5b4d937957505137d0b36cea99d143f390c7909024bd99f8b56d529d7c4a.json
ea1db2f960240f873ca40539a0b85af19cc547223c7495fb35c82396ffe264c3/
ea1db2f960240f873ca40539a0b85af19cc547223c7495fb35c82396ffe264c3/VERSION
ea1db2f960240f873ca40539a0b85af19cc547223c7495fb35c82396ffe264c3/json
ea1db2f960240f873ca40539a0b85af19cc547223c7495fb35c82396ffe264c3/layer.tar
ffcb66dea20af1075a1e69dd4506b63d9c6162f32c267aebc5f08587e9ff4793/
ffcb66dea20af1075a1e69dd4506b63d9c6162f32c267aebc5f08587e9ff4793/VERSION
ffcb66dea20af1075a1e69dd4506b63d9c6162f32c267aebc5f08587e9ff4793/json
ffcb66dea20af1075a1e69dd4506b63d9c6162f32c267aebc5f08587e9ff4793/layer.tar
manifest.json
repositories
$ cd 506946d44c8939efe882d5fd59797d22f2fe84adb7e2b7af066ca1563c11d464
$ tar -xvf layer.tar
app/
app/Dockerfile
app/index.html
app/memes/
app/memes/1.jpg
app/memes/2.jpg
app/memes/3.jpg
app/memes/4.jpg
app/memes/flag.jpg
$ firefox app/memes/flag.jpg
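The manual search above can be automated. The following is an added example, not part of the original write-up: it walks the layers listed in the `manifest.json` of a `docker save` archive and reports every file that a later layer deleted with a whiteout marker (`.wh.<name>`) but that an earlier layer still contains. The function names and the two-layer sample image are constructed for illustration.

```python
import io, json, tarfile

WHITEOUT, OPAQUE = ".wh.", ".wh..wh..opq"

def find_deleted(image_tar):
    """Return (path, layer still holding it, layer that deleted it) tuples."""
    findings, seen = [], {}  # seen: file path -> layer that last wrote it
    with tarfile.open(fileobj=image_tar) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:  # ordered base -> top
            with tarfile.open(fileobj=image.extractfile(layer_name)) as layer:
                for member in layer.getmembers():
                    folder, _, base = member.name.rpartition("/")
                    hits = []
                    if base == OPAQUE:  # whole directory hidden from lower layers
                        hits = [p for p in seen if p.startswith(folder + "/")
                                and seen[p] != layer_name]
                    elif base.startswith(WHITEOUT):  # one file or directory deleted
                        victim = f"{folder}/{base[len(WHITEOUT):]}".lstrip("/")
                        hits = [p for p in seen
                                if p == victim or p.startswith(victim + "/")]
                    elif member.isfile():
                        seen[member.name] = layer_name
                    for path in hits:
                        findings.append((path, seen.pop(path), layer_name))
    return findings

def _tar(files):
    """Build an in-memory tar archive from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def sample_image():
    """Constructed two-layer archive in `docker save` layout (not the challenge image)."""
    base = _tar({"app/memes/1.jpg": b"meme", "app/memes/flag.jpg": b"constructed"})
    top = _tar({"app/memes/.wh.flag.jpg": b""})  # marker left by a later `rm`
    manifest = json.dumps([{"Layers": ["aaaa/layer.tar", "bbbb/layer.tar"]}])
    return _tar({"aaaa/layer.tar": base.getvalue(), "bbbb/layer.tar": top.getvalue(),
                 "manifest.json": manifest.encode()})

if __name__ == "__main__":
    for path, kept_in, deleted_in in find_deleted(sample_image()):
        print(f"{path}: deleted in {deleted_in}, still readable in {kept_in}")
```

To scan a real archive, pass `open("onions.tar", "rb")` to `find_deleted` instead of the sample. Any hit means the file ships with the image even though the running container no longer shows it.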